SYSTEM AND METHOD FOR USE OF INTERNET AUTHENTICATION
TECHNOLOGY TO PROVIDE UMTS AUTHENTICATION

Field of the Invention

This invention relates to Wireless Internet Access
systems, and in particular those based on UMTS 3G
(Universal Mobile Telecommunication System 3rd Generation)
mobile standards.



Background of the Invention

The UMTS standards describe a particular method by which
an end-user's piece of equipment (UE) is authenticated
and also the mechanism by which the UE authenticates the
network (to prevent it connecting to bogus base
stations). These require particular signalling from the
SGSN (Serving General Packet Radio Service Support Node)
element to a UMTS HLR/AuC (Home Location Register /
Authentication Centre). This is covered in the following
standards documents:

[1] TS 33.102 - 3rd Generation Partnership Project;
    Technical Specification Group Services and
    System Aspects; 3G Security; Security
    Architecture; (Release 1999), and

[2] TS 24.008 - 3rd Generation Partnership Project;
    Technical Specification Group Core Network;
    Mobile radio interface layer 3 specification;
    Core Network Protocols - Stage 3; (Release


The standards also recommend an algorithm set for such
authentication functions:

[3] TS 35.205 - 3rd Generation Partnership Project;
    Technical Specification Group Services and
    System Aspects; 3G Security; Specification of
    the MILENAGE Algorithm Set: An example
    algorithm set for the 3GPP authentication and
    key generation functions f1, f1*, f2, f3, f4,
    f5 and f5*; Document 1: General (Release 4),
    and

[4] TS 35.206 - 3rd Generation Partnership Project;
    Technical Specification Group Services and
    System Aspects; 3G Security; Specification of
    the MILENAGE Algorithm Set: An example
    algorithm set for the 3GPP authentication and
    key generation functions f1, f1*, f2, f3, f4,
    f5 and f5*; Document 2: Algorithm Specification
    (Release 4).



However, this known approach has the disadvantage(s) that
due to the complexity of the existing standards and the
relatively small market for such elements it is expensive
to implement, and generally based on bespoke software,
and in some cases bespoke hardware.

From patent publication no. WO 02/11467 there is known
use of RADIUS (Remote Authentication Dial-In User
Service) and associated protocols to authenticate network
access for fixed end users and for end users who roam in
a wireless system. RADIUS is standardised by the IETF
(Internet Engineering Task Force) in the document:

[5] RFC 2865 - Remote Authentication Dial In User
    Service.

The standards documents [1]-[5] referred to above are
hereby incorporated herein by reference.



However, this known use of RADIUS supports authentication
for end users using UE associated with a computer such as
a PC (Personal Computer). It does not facilitate support
of USIM (UMTS Subscriber Identity Module) cards in UE.

A need therefore exists for use of internet
authentication technology to provide UMTS authentication
services related to USIMs wherein the abovementioned
disadvantage(s) may be alleviated.



In accordance with the present invention there is 
provided a system and a method for use of internet 
authentication technology to provide UMTS authentication 
as claimed in claim 1 and claim 15 respectively. 
One system and method for use of internet authentication
technology to provide UMTS authentication services
related to UMTS SIM cards (USIMs) incorporating the
present invention will now be described, by way of
example only, with reference to the accompanying
drawing(s), in which:

FIG. 1 shows a block schematic diagram illustrating
signal sequencing in a prior art system to
authenticate a user;

FIG. 2 shows a block schematic diagram of a UTRAN
Internet system illustrating the present invention;

FIG. 3 shows a block schematic diagram illustrating
signal sequencing during normal authentication
process in the system of FIG. 2; and

FIG. 4 shows a block schematic diagram illustrating
signal sequencing during anti-replay data
synchronisation process in the system of FIG. 2.



Description of Preferred Embodiment(s)

The UMTS standards describe a particular method by which
an end-user's piece of equipment (UE) is authenticated
and also the mechanism by which the UE authenticates the
network (to prevent it connecting to bogus base
stations). These require particular signalling from the
SGSN element to a UMTS Home Location Register /
Authentication Centre (HLR/AuC). This is covered in the
standards documents [1], [2], [3] & [4] referred to
above.



As shown in FIG. 1, the method of the UMTS standards
utilises the network elements USIM 110, UE 120, Node B
130, RNC 140, SGSN 150, HLR 160 and AuC 170. The
authentication-related signalling effectively occurs
between the USIM 110, SGSN 150 and AuC 170.

The AuC 160 generates a set of authentication and keying
material, called an Authentication Vector; sets of
Authentication Vectors are sent to the SGSN 150 by the
AuC 170, at the request of the SGSN.

The authentication of a UE 120 occurs when it 'attaches'
to the network:

On an attempted network attach from a UE 120, the SGSN
150 selects an existing Authentication Vector, or
requests fresh Authentication Vectors from the AuC 170.
The SGSN then supplies the random challenge value (RAND)
and the Authentication Token (AUTN) values from the
Authentication Vector to the USIM 110.

The USIM uses a shared secret value (shared with the AuC)
referred to as K, plus any other parameters demanded by
the authentication algorithm (the UMTS standards supply
an example algorithm called MILENAGE, which has the
values OP - Operator Variant Configuration Field - and
AMF - Authentication Management Field) to authenticate
the network by validating the AUTN value it received.
The authentication algorithm also includes a scheme to
prevent replay-attacks (where a sequence of
authentication messages is recorded, then re-played at a
later time, in order to gain un-authorised access to a
service) based on synchronised changing values in the AuC
to the USIM (in the MILENAGE algorithm this is achieved
using a changing sequence number shared between USIM and
AuC, referred to as SQN).

If the USIM authenticates the network successfully, it
generates an authentication result value (RES) and sends
it back to the SGSN.



The SGSN compares RES against XRES and if they match
authentication completes and the UE is allowed onto the
network.

When the USIM authenticates the network, it can detect
out-of-synchronisation anti-replay-attack data between it
and the AuC - in this case a re-synchronisation procedure
is executed between the USIM and AuC and the
authentication procedure is then re-executed.

As will be described in greater detail below, in its
preferred embodiment the present invention is based on an
Internet technology-based authentication server, using a
commercial RADIUS authentication server platform, that
implements the procedures such that:

• the SGSN function within an Integrated Network
  Controller (INC - comprising RNC and SGSN
  functionality) can obtain the required
  authentication and keying material to authenticate a
  UE containing a USIM; and

• the network authentication function within the USIM
  can authenticate the INC.

As described in the present applicant's co-pending patent
application no. US 09-432,624 (published in equivalent
form as EP 1098539) and co-pending patent application no.
GB 0114813.9, the contents of which applications are
hereby incorporated herein by reference, a combined
RNC/SGSN may be supported in a single network element.
In this configuration the function of the HLR and AuC can
be replaced with a RADIUS based Internet authentication
server, as described in the present applicant's
co-pending patent application no. US 09-626,700 (published
in equivalent form as WO 02/11467), the content of which
is hereby incorporated herein by reference.

The present invention is based on the realisation by the
inventors that the earlier-described use of RADIUS to
authenticate the UE for wireless access can be extended
by extensive modification of the signalling procedures to
support the use of USIM cards in the UE. The signalling
required to implement this is described in detail below.

The RADIUS protocol allows for vendor-specific extensions
to messages. Commercial RADIUS server software also
supports the addition of software functionality
('plug-in') to process/create RADIUS messages, including
attributes added as extensions to the RADIUS protocol.
The present invention is based on the realisation by the
inventors that the functionality of the UMTS AuC, and the
associated signalling with the SGSN, can be replaced by
extensions to the RADIUS protocol and a software
'plug-in' on the RADIUS server.



Referring now to FIG. 2, a wireless access user of the
internet access system has a PC (Personal Computer) 205
and UMTS user equipment (UE) 220 containing a USIM card
210. The UE has a directly attached antenna 225 and is
connected by typical wired data connection such as RS232,
USB or Ethernet to the PC 205. The UE 220 and USIM 210
are together commonly termed a mobile terminal, operating
in conjunction with the associated PC 205 (which is
commonly termed terminal equipment).

The UE 220 communicates over a wireless link Uu with a
base station or Node B 230 in an access network domain of
a UTRAN network. The Node B 230 communicates over a link
Iub with an integrated network controller (INC) 240. As
discussed above, the INC 240 includes an RNC (Radio
Network Controller) 250, which controls and allocates the
radio network resources and provides reliable delivery of
user traffic between the Node B 230 and the UE 220, and
an SGSN (Serving General Packet Radio Service Support
Node) 260, which provides session control. The SGSN 260
incorporates a RADIUS element designated RADIUS client
263 to provide authentication and other functions, as
will be described in greater detail below.
The INC 240 is connected to an Internet protocol network
265 and then to a UMTS access network operator 267,
having a RADIUS server 270. The RADIUS server 270
incorporates RADIUS Accounting Functions 270A, and
Authentication Functions 270B and HLR Functions 270C
(these functions are shown in dashed line in FIG. 2
because, as will be described in greater detail below,
the functionality is provided in software in the RADIUS
server, rather than by provision of a dedicated AuC and
HLR as previously known). The RADIUS server 270 is the
server for both authentication and accounting functions.
Thus, after authentication normally the user would
communicate via the network 265 with target Internet
service provider 280 through its Layer 2 Tunneling
Protocol Network Server LNS 280*.

As will be explained in greater detail below, a link 290
is effectively established between the USIM 210 and
authentication functionality 270B within the RADIUS
server 270, allowing authentication of the USIM 210
without requiring a dedicated authentication centre and a
dedicated home location register.



The RADIUS Server 270:

• Is provisioned with the IMSI-derived User-Name
  derived from the numeric IMSI identifier within the
  USIM (e.g., for an IMSI value of 234151234567890 the
  RADIUS User-Name attribute might be
  "234151234567890_attach") and also the set of
  security parameters required to support generation
  of the various parts of a UMTS Authentication
  Vector.

• Has had its RADIUS attribute dictionary extended, to
  include a 'UMTS-Authentication-Vector' attribute,
  containing RAND, AUTN, CK, IK and XRES with the same
  functionality (size in bits) as the values defined
  in UMTS standards document [3] referred to above.

• Has its RADIUS attribute dictionary extended, to
  include a 'UMTS-Resynchronisation-Token' attribute,
  containing a value with the same definition as the
  AUTS parameter described in UMTS standards document
  [3] referred to above.

• Has a software plug-in that supports generation of a
  UMTS-Authentication-Vector RADIUS attribute, based
  on the provisioned security parameters and the
  dynamic anti-replay parameters.

• Has a software plug-in that supports
  re-synchronisation of the dynamic anti-replay
  parameters with the USIM, on reception of a
  UMTS-Resynchronisation-Token attribute.

Referring now also to FIG. 3, the normal authentication
process is as follows:

310 - The UE 220 initiates the attach procedure.

320 - The SGSN module 260 within the INC 240 requests
      a single Authentication Vector, via a RADIUS
      Access-Request message; the RADIUS User-Name
      attribute (see the IETF standards document [5]
      referred to above) contains a RADIUS user ID
      derived from the numeric IMSI identifier within
      the USIM (e.g., for the IMSI value
      "0123456789012345" the User-Name attribute
      would contain the value:
      "0123456789012345_attach").

      The RADIUS server plug-in derives a
      UMTS-Authentication-Vector attribute (made up of:
      RAND, AUTN, XRES, CK and IK values) based on
      the provisioned information and the dynamic
      anti-replay-attack information. The attribute
      is returned to the SGSN module 260 within the
      INC 240 in an Access-Accept RADIUS message.

330 - The USIM 210 authenticates the network, using
      RAND and AUTN values received from the SGSN,
      then generates an authentication result value
      (RES) and sends it back to the SGSN module 260
      within the INC 240.

340 - The SGSN module 260 within the INC 240 compares
      RES against XRES and if they match
      authentication completes and the UE 220 is
      allowed onto the network.

The following table describes how the RADIUS Access-
Request message and the RADIUS Access-Accept message can
be constructed:

Message: Access-Request
  Contained Attribute: User-Name; User-Name-Type
  Type/Value: Octet string; Octet string; IP Address;
    Enumerated value
  Notes: IMSI from SIM card with '_attach' appended to it;
    Default value inserted by INC; Identifies whether the
    User-Name value represents an IMSI

Message: Access-Accept
  Contained Attribute: Vendor-Specific
    (UMTS-Authentication-Vector)
  Type/Value: Octet String
  Notes: 72-76 Byte concatenation of authentication
    material as defined in 3GPP specifications



The Octet String of the RADIUS Access-Accept message is
constructed as shown in the following table:

Octets: 0 | 1 | 2 | 3

  Type | Length | Vendor-ID
  Vendor-ID (continued) | Manuf.-Type | Manuf.-Length
  RAND (128 bit)
  CK (128 bit)
  IK (128 bit)
  AUTN (128 bit)



The 'Type' field has a vendor-specific value (e.g., 26).
The 'Length' field has a typical value of 80.
The 'Vendor-ID' field has the vendor's IANA-assigned
value (e.g., 5586).
The 'Manuf.-Type' (Manufacturer-Type) field has the
UMTS-Authentication-Vector value of 14.
The 'Manuf.-Length' field has a value in the range 74 -
78.

The Value field (RAND, CK, IK, AUTN and XRES) is 72 - 76
octets of concatenated authentication material to be used
by the INC in Access Authentication, challenge and
ciphering.

Referring now also to FIG. 4, the anti-replay data
synchronisation process is as follows:

410 - The UE 220 initiates the attach procedure.

420 - The SGSN module 260 within the INC 240 requests
      a single Authentication Vector, via a RADIUS
      Access-Request message; the RADIUS User-Name
      attribute (see the IETF standards document [5]
      referred to above) contains a RADIUS user ID
      derived from the numeric IMSI identifier within
      the USIM (e.g., for an IMSI value of
      234151234567890 the RADIUS User-Name attribute
      might be "234151234567890_attach").

      The RADIUS server plug-in derives a
      UMTS-Authentication-Vector attribute (made up of:
      RAND, AUTN, XRES, CK and IK values) based on
      the provisioned information and the dynamic
      anti-replay-attack information. The attribute
      is returned to the SGSN module 260 within the
      INC 240 in an Access-Accept RADIUS message.
430 - The USIM 210 authenticates the network, using
      RAND and AUTN values received from the SGSN
      260, and it detects that the anti-replay-attack
      data is out of synchronisation, but all other
      data is correct. The USIM 210 sends a message
      to the SGSN 260 containing the value AUTS (see
      the UMTS standards document [2] referred to
      above), signifying that the anti-replay attack
      data is out of date.

440 - In this case the USIM initiates the
      re-synchronisation procedure.

450 - The SGSN module 260 within the INC 240 requests
      a single Authentication Vector, via a RADIUS
      Access-Request message; this message also
      includes the UMTS AUTS value in a
      UMTS-Resynchronisation-Token RADIUS attribute,
      which contains a hidden version of its
      anti-replay-attack information from the USIM.

      The RADIUS server plug-in re-synchronises the
      anti-replay attack information, then derives a
      UMTS-Authentication-Vector attribute based on
      the provisioned information and the now
      back-in-sync dynamic anti-replay information. The
      UMTS-Authentication-Vector attribute is
      returned to the SGSN module 260 within the INC
      240 in an Access-Accept RADIUS message.
460 - The USIM authenticates the network, using RAND
      and AUTN values received from the SGSN 260,
      then generates an authentication result value
      (RES) and sends it back to the SGSN module
      within the INC.

470 - The SGSN module within the INC compares RES
      against XRES and if they match authentication
      completes and the UE is allowed onto the
      network.

The message sent from the USIM 210 to the SGSN 260 at
step 430 above, signifying that the anti-replay-attack
data is out of date, is constructed as shown in the
following table:



Octets: 0 | 1 | 2 | 3

  Type | Length | Vendor-ID
  Vendor-ID (continued) | Manuf.-Type | Manuf.-Length
  AUTS (112 bit)



The 'Type' field has a vendor-specific value (e.g., 26).
The 'Length' field has a typical value of 22.
The 'Vendor-ID' field has the vendor's IANA-assigned
value (e.g., 5586).
The 'Type' field has the UMTS-Resynchronisation-Token
value of 15.
The 'Manuf.-Length' field has a value of 16.
The Value field (AUTS) is 14 octets of concatenated
authentication material to be used by the RADIUS server
270 in USIM sequence number resynchronisation.
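
The two attribute layouts above, as an added example that is not code from the patent: a Python encoder and strict parser for the UMTS-Authentication-Vector and UMTS-Resynchronisation-Token attributes, rejecting any attribute whose length fields disagree with the octets received. The function names are hypothetical; placing XRES last with a length of 8-12 octets is an assumption inferred from the stated 72-76 octet Value field, and the value 15 is assumed to be the token's Manuf.-Type.

```python
import struct

# Values quoted in the text above.
VSA_TYPE = 26          # 'Type' field (vendor-specific)
VENDOR_ID = 5586       # example IANA-assigned Vendor-ID
MT_AUTH_VECTOR = 14    # Manuf.-Type of UMTS-Authentication-Vector
MT_RESYNC_TOKEN = 15   # assumption: 15 is the token's Manuf.-Type
AUTS_LEN = 14          # AUTS is 112 bits
XRES_LENGTHS = range(8, 13)  # assumption: 72-76 octets minus 4 x 16

# Type, Length, Vendor-ID, Manuf.-Type, Manuf.-Length (network byte order)
HEADER = struct.Struct("!BBIBB")


def wrap_vsa(manuf_type, value):
    """Prefix value with the 8-octet header shown in the tables."""
    manuf_len = len(value) + 2          # Manuf.-Type + Manuf.-Length + Value
    return HEADER.pack(VSA_TYPE, manuf_len + 6, VENDOR_ID,
                       manuf_type, manuf_len) + value


def unwrap_vsa(attr, manuf_type):
    """Check every header field, then return the Value octets."""
    if len(attr) < HEADER.size:
        raise ValueError("attribute shorter than its header")
    a_type, a_len, vendor, m_type, m_len = HEADER.unpack_from(attr)
    if a_type != VSA_TYPE or vendor != VENDOR_ID or m_type != manuf_type:
        raise ValueError("unexpected Type, Vendor-ID or Manuf.-Type")
    if a_len != len(attr) or m_len != a_len - 6:
        raise ValueError("length fields disagree with the octets received")
    return attr[HEADER.size:]


def encode_auth_vector(rand, ck, ik, autn, xres):
    """Build the Access-Accept attribute: RAND, CK, IK, AUTN, then XRES."""
    for name, field in (("RAND", rand), ("CK", ck), ("IK", ik), ("AUTN", autn)):
        if len(field) != 16:
            raise ValueError(name + " must be 128 bits")
    if len(xres) not in XRES_LENGTHS:
        raise ValueError("XRES must be 8-12 octets")
    return wrap_vsa(MT_AUTH_VECTOR, rand + ck + ik + autn + xres)


def decode_auth_vector(attr):
    """Split a received attribute into its named fields (SGSN side)."""
    value = unwrap_vsa(attr, MT_AUTH_VECTOR)
    if len(value) - 64 not in XRES_LENGTHS:
        raise ValueError("Value field is not 72-76 octets")
    names = ("RAND", "CK", "IK", "AUTN")
    vector = {n: value[i * 16:(i + 1) * 16] for i, n in enumerate(names)}
    vector["XRES"] = value[64:]
    return vector


def encode_resync_token(auts):
    """Build the Access-Request attribute carrying AUTS (SGSN side)."""
    if len(auts) != AUTS_LEN:
        raise ValueError("AUTS must be 14 octets")
    return wrap_vsa(MT_RESYNC_TOKEN, auts)


def decode_resync_token(attr):
    """Return AUTS from a received token attribute (RADIUS server side)."""
    auts = unwrap_vsa(attr, MT_RESYNC_TOKEN)
    if len(auts) != AUTS_LEN:
        raise ValueError("AUTS must be 14 octets")
    return auts


if __name__ == "__main__":
    # Constructed sample material, not real keys.
    av = encode_auth_vector(bytes(range(16)), b"\x11" * 16, b"\x22" * 16,
                            b"\x33" * 16, b"\x44" * 8)
    print(len(av), av[:8].hex(), decode_auth_vector(av)["XRES"].hex())
    token = encode_resync_token(b"\x55" * AUTS_LEN)
    print(len(token), token[:8].hex())
```

With an 8-octet XRES the encoded vector has the 'Length' of 80 and 'Manuf.-Length' of 74 quoted above, and the token has 22 and 16.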



It will be understood that by extending the signalling
procedures as described above, RADIUS may be used to
authenticate a USIM card in a UE for wireless access in a
UMTS system, by effectively establishing a link between
the USIM and authentication functionality within the
RADIUS server (as shown by the link 290 in FIG. 2)
without requiring a dedicated authentication centre (and
a dedicated home location register).

It will be appreciated that the method described above
for use of internet authentication technology to provide
UMTS authentication may be carried out in software
running on one or more processors (not shown) in the
RADIUS server 270, the SGSN module 260 and the PC
carrying the USIM 210, and that the software may be
provided as a computer program element carried on any
suitable data carrier (also not shown) such as a magnetic
or optical computer disc.

It will be understood that the use of internet
authentication technology to provide UMTS authentication
services related to UMTS SIM cards (USIMs) described
above provides the following advantages:

• it is substantially cheaper than prior art
  solutions, because it is based largely on existing
  off-the-shelf Internet access authentication
  technology, modified
1. A system for use of internet authentication
technology to provide UMTS authentication, the system
comprising:
    Serving GPRS Support Node (SGSN) means in a UMTS
network; and
    RADIUS server means,
the SGSN means and the RADIUS Server means being adapted
to support signalling therebetween whereby authentication
of a User Subscriber Identity Module (USIM) may be
performed in the RADIUS Server means.

2. The system of claim 1 wherein the SGSN means is
integrated with Radio Network Controller (RNC) means in
Integrated Network Controller (INC) means.

3. The system of claim 1 or 2 wherein the UMTS network
comprises a UMTS Terrestrial Radio Access Network (UTRAN).

4. The system of any preceding claim wherein the SGSN
means is adapted to send an Access-Request RADIUS message
to request a UMTS Authentication Vector from the RADIUS
server means.

5. The system of any preceding claim wherein the RADIUS
Server means is adapted to generate authentication and
keying material so as to authenticate a USIM within a
UMTS UE, according to UMTS standards.
6. The system of claim 5 wherein the RADIUS Server
means is adapted to implement the MILENAGE algorithm.

7. The system of claim 5 or 6 wherein the RADIUS Server
means is adapted to generate, using anti-replay-attack
dynamic data, a UMTS Authentication Vector, for use by
the SGSN means.

8. The system of claim 5 when dependent on claim 4
wherein the RADIUS Server means is adapted to support
dynamic sequence number (SQN).

9. The system of any preceding claim wherein the RADIUS
Server means is adapted to generate a UMTS Authentication
Vector in a RADIUS attribute within an Access-Accept
RADIUS message for sending to the SGSN means.

10. The system of any preceding claim wherein the SGSN
means is adapted to receive a UMTS Authentication Vector
in a RADIUS Access-Accept message.

11. The system of any preceding claim wherein the SGSN
means is adapted to send information to re-synchronise
anti-replay-attack information within the USIM with the
RADIUS Server means.

12. The system of claim 11 when dependent on claim 4
wherein SGSN means is adapted to send a
UMTS-Resynchronisation-Token attribute in the
Access-Request RADIUS message.
13. The system of claim 12 wherein the RADIUS Server
means is adapted to reset anti-replay-attack dynamic data
in-line with the USIM in response to the data received in
the UMTS-Resynchronisation-Token.

14. The system of claim 13 wherein the RADIUS Server
means is adapted to implement the MILENAGE algorithm.
15. A method for use of internet authentication
technology to provide UMTS authentication, the method
comprising:
    providing Serving GPRS Support Node (SGSN) means in
a UMTS network; and
    providing RADIUS server means,
signalling between the SGSN means and the RADIUS Server
means so that authentication of a User Subscriber
Identity Module (USIM) is performed in the RADIUS Server
means.

16. The method of claim 15 wherein the SGSN means is
integrated with Radio Network Controller (RNC) means in
Integrated Network Controller (INC) means.

17. The method of claim 15 or 16 wherein the UMTS
network comprises a UMTS Terrestrial Radio Access Network
(UTRAN).

18. The method of any one of claims 15-17 wherein the
SGSN means sends an Access-Request RADIUS message to
request a UMTS Authentication Vector from the RADIUS
server means.

19. The method of any one of claims 15-18 wherein the
RADIUS Server means generate authentication and keying
material so as to authenticate a USIM within a UMTS UE,
according to UMTS standards.

20. The method of claim 19 wherein the RADIUS Server
means implements the MILENAGE algorithm.
21. The method of claim 19 or 20 wherein the RADIUS
Server means generates, using anti-replay-attack dynamic
data, a UMTS Authentication Vector and sends it to
the SGSN means.

22. The method of claim 19 when dependent on claim 18
wherein the RADIUS Server means supports dynamic sequence
number.

23. The method of any one of claims 15-22 wherein the
RADIUS Server means generates a UMTS Authentication
Vector in a RADIUS attribute within an Access-Accept
RADIUS message and sends it to the SGSN means.

24. The method of any one of claims 15-23 wherein the
SGSN means receive a UMTS Authentication Vector in a
RADIUS Access-Accept message.

25. The method of any one of claims 15-24 wherein the
SGSN means sends information to re-synchronise
anti-replay-attack information within the USIM with the
RADIUS Server means.

26. The method of claim 25 when dependent on claim 18
wherein the SGSN means sends a
UMTS-Resynchronisation-Token attribute in the
Access-Request RADIUS message.

27. The method of claim 26 wherein the RADIUS Server
means resets anti-replay-attack dynamic data in-line with
the USIM in response to the data received in the
UMTS-Resynchronisation-Token.

28. The method of claim 27 wherein the RADIUS Server
means implement the MILENAGE algorithm.

29. A RADIUS Server adapted to perform the method of any
one of claims 15-28.

30. A SGSN adapted to perform the method of any one of
claims 15-28.

31. A computer program element comprising computer
program means for performing the method of any one of
claims 15-28.

32. A system, for use of internet authentication
technology to provide UMTS authentication, substantially
as hereinbefore described with reference to FIGS. 2-4 of
the accompanying drawings.

33. A RADIUS Server, for use of internet authentication
technology to provide UMTS authentication, substantially
as hereinbefore described with reference to FIGS. 2-4 of
the accompanying drawings.

34. A SGSN, for use of internet authentication
technology to provide UMTS authentication, substantially
as hereinbefore described with reference to FIGS. 2-4 of
the accompanying drawings.

35. A method, for session control in a wireless
communication network, substantially as hereinbefore
described with reference to FIGS. 2-4 of the accompanying
drawings.
SYSTEM AND METHOD FOR USE OF INTERNET AUTHENTICATION
TECHNOLOGY TO PROVIDE UMTS AUTHENTICATION

System (FIG. 2) and method for use of Internet
authentication technology to provide UMTS authentication.
An SGSN (260) in an Integrated Network Controller (240)
in a UMTS network and a RADIUS server (270) are adapted
to support signalling therebetween whereby authentication
of a USIM is performed in the RADIUS Server. This allows
a conventional Authorisation Centre (AuC) to be replaced by
the RADIUS Server, and it is substantially cheaper,
because it is based largely on existing off-the-shelf
Internet access authentication technology, modified to
this purpose.